Case Study: Data Masking Process


HSBC is one of the largest banking and financial services organizations in the world with operations in 65 countries and territories. In order to be compliant with the multitude of data privacy laws and regulations their global business operated under, a large consulting firm was hired to design a control process for the use of sensitive production data in non-production environments. Unfortunately, the resulting process had critical shortcomings and failed to adequately resolve HSBC’s data privacy challenges.


  • No clear global policy defining what constitutes personally-identifying information (PII)
  • First attempt, the Service Level Agreements (SLAs) in non-production environments could not be enforced or even established
  • Data masking could not be completed due to lack of resource expertise and availability
  • Initial consultant’s process was implemented for 6 months and had serious shortcomings since it could not: Verify that applications teams had masked sensitive data
  • Track application teams needing exceptions
  • Without a way to address these issues, the client could not scale the process to include all application data in non-production environments which was the original goal.


Axis designed and implemented a new process that uses a DaaS (Data as a Service) approach, making masking simple and efficient. The process is broken into distinct types of requests, each having unique process maps for the business users and the internal Data Privacy Services (DPS) team.


The Axis Data Process Design solution went live in September 2019 and delivered outstanding results:

  • Requests increased from 59 to 138 in the first week of the new process
  • SLAs were cut from 6 months to just 6 weeks
  • Feedback indicated the new process was clear, concise, and easy-to-follow
  • A portal was created for application teams to track the progress of their masking requests
    Application teams were able to implement masking in a consistent, uniform fashion worldwide
  • HSBC was able to integrate their corporate data protection standards into the software development process with minimal impact on the development process

In addition to creating the new process, Axis also implemented the following organizational and operational changes:

  • Created company-wide Personally-Identifying Information policy
  • Create a dedicated Data Privacy Service (DPS) team to Desktop as a Service (DaaS) Trained the DPS team to handle exceptions and mask data
  • Implemented Atlassian Jira Service Desk to provide feedback to teams Established strict Service Level Agreements (SLAs) enforced by the DPS Team
  • Published Standard Operating Procedures (SOP)

Axis designed and implemented a new data privacy solutions process that delivered outstanding results, including increasing requests from 59 in the previous year to 138!